Everyone loves containers


API Security Breaches are Mounting 


[Slide shows company logos, including Google and Venmo]


“By 2022 API abuses will be the attack vector most responsible 
for data breaches within enterprise web applications” 
Why is securing APIs so difficult today?


Proliferation of endpoints, internet-facing APIs, virtual networks, micro-services architectures, and distributed security enforcement points.


Enterprise Perimeter is Disappearing


No API Security standards; complexity of API Security (integrity, confidentiality, AAA, non-repudiation, ...); no proven, reusable API Security policies.


Lack of API Security Tools and Standards


Web Application Security is not API Security: multiple solutions each cover only part of API Security (CDN, WAF, API Gateway, code, ...), and API developers often try to code security into their APIs themselves.


Distributed, Unified, API Specific Security enforcement points 
Web App Security vs API Security

                    Web App Security                          API Security
Security model      Traditional white list / black list,      Positive, automatic security model
                    hard to maintain, false positives
Operational model   Centralised                               DevSecOps; centralised or distributed
Deployment          In-line WAF, single layer,                Supports microservices, serverless,
                    north-south only, DMZ only                East-West traffic, sidecar

API-specific attacks and protections (API Security column):
  API request validation (OAS 2.0)
  XML & JSON schema validation
  XML Threat Protection
  JSON Threat Protection
  JSON Path / JSON Pointer injections
  SQL Injection Vulnerability detection in encrypted
  OAuth Security extension support: PKCE, token binding
  JOSE, draft-cavage-http-signatures
  Cross-Site Scripting attack detection
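As an added illustration (not code from this deck or from 42Crunch), a minimal positive-model request check of the kind the comparison describes: an OpenAPI-style schema declares exactly what a hypothetical POST /transfer body may contain, and JSON threat-protection limits on nesting depth and array size are applied before schema validation. The schema, the limit values and the endpoint are assumptions.

```python
import json

# Constructed OpenAPI-style schema for a hypothetical POST /transfer body.
TRANSFER_SCHEMA = {
    "type": "object", "required": ["to_account", "amount"],
    "properties": {
        "to_account": {"type": "string", "maxLength": 34},
        "amount": {"type": "number"},
    },
}
# JSON threat-protection limits (assumed values), checked before schema
# validation so oversized or deeply nested payloads are rejected cheaply.
MAX_DEPTH, MAX_ARRAY = 4, 50
TYPES = {"string": str, "number": (int, float), "object": dict}

def check_threat_limits(node, depth=1):  # returns an error string or None
    if depth > MAX_DEPTH:
        return "nesting too deep"
    if isinstance(node, list) and len(node) > MAX_ARRAY:
        return "array too long"
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        if err := check_threat_limits(child, depth + 1):
            return err
    return None

def validate(schema, node, path="$"):  # positive model: only what the schema declares passes
    kind = schema["type"]
    if isinstance(node, bool) or not isinstance(node, TYPES[kind]):
        return f"{path}: expected {kind}"
    if kind == "string" and len(node) > schema.get("maxLength", len(node)):
        return f"{path}: string too long"
    if kind == "object":
        for key in schema.get("required", []):
            if key not in node:
                return f"{path}.{key}: missing required field"
        for key, val in node.items():
            if key not in schema["properties"]:
                return f"{path}.{key}: undeclared field"
            if err := validate(schema["properties"][key], val, f"{path}.{key}"):
                return err
    return None

def inspect_request(raw_body):  # (accepted, reason), as an API firewall would decide
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, "malformed JSON"
    err = check_threat_limits(body) or validate(TRANSFER_SCHEMA, body)
    return err is None, err or "ok"
```

Because undeclared fields are rejected rather than ignored, a client cannot smuggle an extra attribute past the schema; the threat limits stop deeply nested or oversized bodies before any schema work is done.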
Developers Must use the Standard

Changing the API Security Model
EASY SECURITY: API Security as a commodity; controlled by Security; applied by Developers.
PROVEN SECURITY: Pre-built, proven security policies; standards compliant; security best practices.
SECURITY AS CODE: Bring security into DevOps; policies are applied as part of the API lifecycle.
SECURITY AT SCALE: Microservices architecture compliant; Docker-based micro API Firewall.
API Security: DevSecOps approach

Discover - API AND OPEN API DISCOVERY SERVICE
  Discover all the APIs you expose & consume in the enterprise.

Validate - API SECURITY ASSESSMENT AND SCORING
  API developers upload their Swagger files => API Security Assessment report.

Verify - SCAN COMPLIANCE OF OPEN API SPEC AGAINST API
  API developers scan their APIs => Open API Compliance Report.

Protect - DEPLOY API FIREWALL IN FRONT OF API
  The Security team applies API Security Policies and Ops deploys the API Firewall.

Report - REAL TIME DASHBOARDS OF ALL YOUR APIs SECURITY
  Real time single-pane-view dashboard available to Developers, Security and Operations => API Security Dashboards.
Prebuilt Security Policies and Packages

Package name and what it covers:
  Transport Constraints - TLS version and CipherSuites
  Data Validation - Request / Response Validation
  OAuth/OpenID - Token Validation
  Attacks Protection - OWASP Protection
  Open Banking, PCI-DSS, 42C standard - compliance packages
  Payload Crypto-Operations - Message Confidentiality & Integrity
  Authentication - Identity Validation (ESTI 9131119)
  Authorization - Fine-grain Authorization (Scopes / XACML)
  Audit Trail and Non Repudiation
End to end API Security Process

OpenAPI definition and code pushed to GitHub
  -> Automatic Security Assessment
  -> Automated Security Policies Generation
  -> Micro-firewall Image Generation
  -> Deploy API Firewall to protect your APIs
Qualys Enterprise End-to-End API Security Platform

[Screenshot of the Qualys API Security console: DASHBOARD, EVENTS, API DETECTIONS, PROTECTION]

Welcome to Qualys API Security
Discover, Assess and Protect REST API across your enterprise and cloud hosted assets

Get started with these quick steps

Configure API Collections >
  Create and Manage your collections store and import your Swagger/OpenAPI files
  Create and Manage your API backends

Protect API Collections >
  Protect your collections using the Security Gateway

Assess your API Collections >
  Assess schema's level of integrity and security.

Scan your API for compliancy >
  Scan the API endpoint and check its compliance with the schema

Scan your API for vulnerability >
  Scan the API endpoint for vulnerabilities

Configure API Endpoints >
Thank You

Jacques Declas
SFO, 42Crunch